I am wondering what your professional opinion is, how you see it happening, and whether PCI-DSS will become a standard that is followed by most companies no matter whether they do payment processing or not. We all know that PCI-DSS became a standard based on best practices that some big companies decided on and made official.

I think that many companies are following the ISO 17799 / 27001 guidelines today. Much of PCI is common sense, like other best-practice standards. I think that some companies are incorporating some of the concepts already. I am not sure if everything in PCI will apply to every business. I think that if PCI becomes the de facto standard for most companies, it will be a morphed version that will carry another name.

Last edited by Ketchup on Fri Feb 05, 2010 5:40 pm, edited 1 time in total.

As far as I know, the businesses I have audited include hotels and retailing. This also depends on the region you're in; for example, this is compulsory in the States, whereas in Asia the awareness is still somewhat lacking.

These are the two for which PCI is a must due to the regulation from VISA/MC/Amex etc. Not all businesses will need to go into PCI unless they're in the following tiers:

Tier 1: The highest volume merchants, which submit 6 million or more transactions per year.
Tier 2: Merchants that submit 1-6 million transactions per year.
Tier 3: Merchants that submit 20,000 to 1 million e-commerce transactions per year.
Level 4: Merchants submitting less than 20,000 e-commerce transactions per year, and all other merchants up to 1 million transactions per year.

Will PCI become a standard for everyone... hmm, good question, but I honestly think no. It's a step in the right direction, though.

As already stated, PCI DSS is only focused on payment card information, so it's a narrow scope, and it has no interest in any area where this form of information is not resident or flowing. The PCI standard is still relatively new and will of course continue to be developed and improved, but adoption is still relatively low and often misunderstood. Yes, everyone who processes card data should be doing the PCI dance, but if their acquirer isn't making the push, companies are not doing it, and when they do it's a slow-going process, and most often a minimal tick-box approach.

All of these standards are best practice and common sense; some are mandated, and some are optional. Organisations still don't fully understand the security benefits; it's an overhead, and rarely done properly. If people who need to be PCI compliant expanded the requirements to cover their whole organisation, this would be a good start to improved security, but I think we are some way away from this.